Trust-Based Intrusion Detection in Wireless Sensor Networks

Transcription

1 Trust-Based Intrusion Detection in Wireless Sensor Networks Fenye Bao, Ing-Ray Chen, MoonJeong Chang Department of Computer Science Virginia Tech {baofenye, irchen, Abstract We propose a trust-based intrusion detection scheme utilizing a highly scalable hierarchical trust management protocol for clustered wireless sensor networks. Unlike existing work, we consider a trust metric considering both quality of service (QoS) trust and social trust for detecting malicious nodes. By statistically analyzing peer-to-peer trust evaluation results collected from sensor nodes, each cluster head applies trust-based intrusion detection to assess the trustworthiness and maliciousness of sensor nodes in its cluster. Cluster heads themselves are evaluated by the base station. We develop an analytical model based on stochastic Petri nets for performance evaluation of the proposed trust-based intrusion detection scheme, as well as a statistical method for calculating the false alarm probability. We analyze the sensitivity of false alarms with respect to the minimum trust threshold below which a node is considered malicious. Our results show that there exists an optimal trust threshold for minimizing false positives and false negatives. Further, the optimal trust threshold differs depending on the anticipated wireless sensor network lifetime. Index Terms Trust management, intrusion detection, wireless sensor networks, security, false positives, false negatives. I. INTRODUCTION A wireless sensor network (WSN) usually consists of a large number of tiny sensor nodes (SNs) deployed in an operational area for data sensing, aggregating, and processing. WSNs have been applied in transportation, agriculture, homeland security, and battlefield applications. The exposure to natural environments and the inherent unreliability of wireless transmission make a WSN vulnerable to many attacks []. SNs deployed in hostile environments for military applications also could be compromised through captures and become malicious. Moreover, due to severe resource constraints of SNs, such as energy, memory, and computational power, traditional energy-consuming defense mechanisms like publickey infrastructure [0] and host-based intrusion detection techniques [6] may not be feasible. Malicious attacks to WSNs can be classified into outsider attacks and insider attacks. While most outsider attacks such as spoofing, replay, and Sybil attacks can be prevented by authentication and cryptography, insider attacks are much harder to deal with. In this paper, we develop a trust-based intrusion detection system (IDS) scheme utilizing a highly scalable hierarchical trust management protocol for clustered wireless sensor networks to detect inside attackers. Unlike existing work, we consider not only QoS trust (energy and cooperativeness) derived from communication Jin-Hee Cho Computational and Information Sciences Directorate U.S. Army Research Laboratory jinhee.cho@us.army.mil networks but also social trust (honesty) derived from social networks [2] to judge if a node is compromised. We develop a probability model based on the stochastic Petri nets (SPN) to describe the behaviors of each SN or cluster head (CH). In our protocol, each node subjectively evaluates other peers periodically. With peer-to-peer trust evaluations reported from SNs, a CH obtains a comprehensive trust report toward all SNs in its cluster and can perform statistical analysis to identify and exclude malicious nodes in the network. CHs themselves are evaluated by the base station taking in peer-to-peer trust evaluation inputs from other CHs. This hierarchical structure reduces network traffic by eliminating cross-cluster communications among SNs. More importantly, we develop a statistical method to predict false positive and false negative probabilities and identify optimal design settings under which false positives and false negatives are minimized. In the literature, Wang et al. [8] proposed an intrusion detection mechanism based on trust (IDMTM) for mobile ad hoc networks (MANETs). They employed the concepts of evidence chain and trust fluctuation to evaluate a node in the network, with the evidence chain detecting misbehaviors of a node, and the trust fluctuation reflecting the high variability of a node s trust value over a time window. Ebinger et al. [3] introduced a cooperative intrusion detection method also for MANETs based on trust evaluation and reputation exchange. They split the reputation information into trust and confidence for reputation exchanges and then combine them into trustworthiness for intrusion detection. In WSNs, several trust management protocols [4, 5, 7] have been proposed for network security, data integrity, and secure routing. However, most work only considered a flat WSN structure. Notably Shaikh et al. [7] proposed a group-based trust management scheme for clustered WSNs. Their hierarchical structure used is similar to our work. However, they only considered QoS metrics (e.g., message delivery ratio in a time window) based on direct observations and no IDS design or evaluation was discussed. To the best of our knowledge, our work is the first to use trust to implement intrusion detection functionality and evaluate its effectiveness for clustered WSNs. II. SYSTEM MODEL We consider a clustered WSN consisting of multiple clusters, each with a cluster head (CH) and a number of SNs in the corresponding geographical area with CHs having more

2 computational and energy resources than SNs. The CH in each cluster may be selected based on an election protocol such as HEED [9]. A SN forwards its sensor reading to its CH and the CH then forwards the data to the base station or a destination node (or sink node) through other CHs. Our trust-based IDS scheme considers the effect of both social trust and QoS trust on trustworthiness or maliciousness. In the literature, social trust may include friendship, honesty, privacy, similarity, betweenness centrality, and social ties (strengths) [2]. QoS trust may include competence, protocol conformance, reliability, task completion capability, etc. In this work, we adopt honesty to measure social trust derived from social networks and adopt energy (for measuring competence) and cooperativeness to measure QoS trust derived from communication networks, as these can be considered as indicators of trustworthiness. The honesty trust component is measured through evidences of dishonesty such as false selfreporting [, 5], trust fluctuation [8] and abnormal trust recommendations (i.e., outliers relative to recommendations received from other recommenders). The energy trust component provides a piece of evidence because a compromised node usually performs energy-consuming attacks, such as disseminating bogus messages. Lastly, a compromised node usually manifests itself as being uncooperative because of selective forwarding or message dropping attacks to disrupt message routing in WSNs. We assume a cognitive WSN in which a smart SN may adjust its behavior dynamically according to its own operational state and environmental conditions. A SN not necessarily compromised may become uncooperative just to save its energy. The uncooperative behavior is typically reflected by stopping sensing functions and arbitrarily dropping messages. If not compromised, an uncooperative SN may become cooperative to serve system goals such as service availability if few cooperative neighbor nodes are around. A SN is more likely to be compromised when it has low energy (because a node with high energy may perform better energyconsuming defenses against attackers), or when it has more compromised neighbors around. A compromised SN can perform strong attacks such as black hole attacks, goodmouthing attacks (recommending a bad node as a good node), and bad-mouthing attacks (recommending a good node as a bad node) through which it exhibits dishonest behaviors, and weak attacks such as message dropping, and selective packet forwarding through which it exhibits uncooperative behaviors. After a SN or CH is compromised, it will consume more energy to perform attacks. Such attack behaviors are manifested as evidences against the honesty, energy, and cooperativeness trust properties. III. HIERARCHICAL TRUST MANAGEMENT FOR INTRUSION DETECTION Our hierarchical trust management protocol maintains two levels of trust: SN-level trust and CH-level trust. Each SN evaluates other SNs in the same cluster while each CH evaluates other CHs and SNs in its cluster. The peer-to-peer trust evaluation is periodically updated based on either direct observations or indirect observations. When two nodes are neighbors within radio range, they evaluate each other based on direct observations via snooping or overhearing. Each SN sends its trust evaluation results toward other SNs in the same cluster to its CH. Each CH performs trust evaluation toward all SNs within its cluster. Similarly, each CH sends its trust evaluation results toward other CHs in the WSN to the base station. The base station performs trust evaluation toward all CHs in the system. Our peer-to-peer trust evaluation process considers three different trust components as described earlier, namely, honesty, energy, and cooperativeness. The trust value that node i evaluates toward node j at time t,, is represented as a real number in the range of [0, ] where indicates complete trust, 0.5 ignorance, and 0 distrust. is computed by: () where w, w 2, and w 3 are weights associated with these three trust components with w + w 2 + w 3 =. A. Peer-to-Peer Trust Evaluation This section describes how peer-to-peer trust evaluation is conducted, particularly between two SNs or two CHs. Specifically, when a trustor (node i) evaluates a trustee (node j) at time t, it updates where X indicates a trust component as follows:,, and are hop neighbors; avg, (2), otherwise. In Equation 2, if node i is a -hop neighbor of node j, node i will use its direct observations, and past experiences ( where is a trust update interval) toward node j to update. A parameter (0 is used here to weight these two contributions and to consider trust decay over time. If the application context knowledge justifies placing higher trust on recent direct observations over past experiences, a larger (greater than 0.5) may be used; otherwise equal weighting with 0.5 may be considered. Here, indicates node i s trust value toward node j based on direct observations accumulated over the time period 0, possibly with a higher priority given to recent interaction experiences over the time period,. Below we describe how each trust component value, can be obtained based on direct observations:, : This refers to the belief of node i that node j is honest based on node i s direct observations toward node j. Node i can monitor node j s dishonesty evidences including abnormal trust recommendations, false self-reporting [, 5], and trust fluctuation [8] over the

3 time period 0, to estimate,., : This indicates the percentage of energy remaining in node j that node i directly observes at time t. As a neighbor, node i can overhear or even monitor node j s packet transmission activities over the time period 0, to estimate,., : This provides the degree of cooperativeness of node j as evaluated by node i based on direct observations over the time period 0,. Node i can apply overhearing or snooping techniques to detect uncooperativeness behaviors such as packet dropping or selective forwarding and may give recent interaction experiences a higher priority over old experiences in estimating,. On the other hand, if node i is not a -hop neighbor of node j, node i will use its past experiences ( ) and recommendations (, where k is a recommender) to update. A parameter γ is used here to weight these two contributions and to consider trust decay over time as follows: (3) Here we introduce another parameter 0 to specify the impact of indirect recommendations on such that the weight assigned to indirect recommendations is normalized to relative to assigned to past experiences. Essentially, the contribution of recommended trust increases proportionally as either or increases. Instead of having a fixed weight ratio to for the special case in which, we allow the weight ratio to be adjusted by changing the value of and test its effect on protocol resiliency against malicious recommendation attacks, such as good-mouthing and badmouthing attacks. Here, is node i s overall trust value toward node k as a recommender (for node i to assess if node k provides correct information). Note that node i can choose all its -hop neighbors as recommenders. The new trust value in this case would be the average of the combined trust values of past trust information and recommendations collected at time t. B. Trust-based Intrusion Detection Each SN reports its trust evaluation toward other SNs in the same cluster to its CH. The CH then applies statistical analysis principles (such as Equation 4 below) to values received to perform CH-to-SN trust evaluation toward node j. Our trustbased IDS is based on selecting a system minimum trust threshold below which a node is considered compromised and needs to be excluded from sensor reading and routing duties. Specifically a CH, c, when evaluating a SN, j, will perform intrusion detection by comparing the system minimum trust threshold with node j s trust value,, obtained by: avg (4) where is the set of SNs in the cluster. CH c will announce j as compromised if is less than ; otherwise, node j is not compromised. Note that we only take into account the trust values received from those SNs which are not considered compromised by the CH. The CH can also leverage values received from SNs in its cluster to detect if there is any outlier as a piece of evidence against dishonesty. IV. PERFORMANCE MODEL We develop a probability model based on SPN techniques to describe the behaviors of each SN or CH, with the objective to yield energy, cooperativeness and maliciousness (for honesty) status of a node dynamically. We choose SPN as our analytical tool due to its capability to represent a large number of states for complex systems. Leveraging SPN model outputs which provide actual status of SNs and CHs in the system dynamically, we are able to accurately predict peer-to-peer trust values obtainable by each SN or CH, and, consequently, evaluate the performance of the trust-based IDS scheme. A. A Probability Model for Describing Node Behaviors Figure : SPN Model for a Sensor Node or a Cluster Head. Figure shows the SPN model that describes the behaviors of a SN (or a CH). Without loss of generality, we consider a WSN consisting of N SN SNs uniformly distributed in an M by M square-shaped operational area and N CH CHs. Each SN is attached to a CH based on its location. CHs and SNs have radio range of R and r, respectively. The trust update interval is. All nodes are stationary after the initial deployment. Below we explain how we construct the SPN model for describing the behaviors of a single node. Energy: Place Energy represents the remaining energy level of the node. The initial number of tokens in place Energy is set to. A token will be released from place Energy when transition T_ENERGY is triggered. The rate of transition T_ENERGY indicates the energy consumption rate. A CH consumes more energy than a SN. The energy consumption rate is affected by a node s state. It is higher when a node is compromised because it takes energy to perform attacks. We denote, and as the amount of energy consumed per time for a normal SN, a normal CH, and a compromised node, respectively, which can be obtained by analyzing historical data with. The energy consumption rate is multiplied with (0 ) if the node is uncooperative. Uncooperativeness: We model the uncooperative behavior as follows: A node may become uncooperative to save energy.

4 An uncooperative node may stop reading data and drop packets it receives. A node will decide if it wants to become uncooperative upon every time interval according to its remaining energy and the number of cooperative neighbors. Also a compromised node is likely to be uncooperative as it performs weak attacks such as packet dropping or selective packet forwarding. An uncooperative node can redeem itself to become cooperative upon every trust update interval ( ). We model these behaviors by putting a token into place Uncooperative when transition T_UNCOOPERATIVE is triggered or by removing the token from place Uncooperative when transition T_REDEMP is triggered. A token in place Uncooperative thus indicates that the node is uncooperative. A node s uncooperative probability is modeled by: 2 (5) where is energy consumed and is the node s initial energy level. Thus / represents the percentage of energy consumed. / is the percentage of cooperative neighbors where is the number of cooperative neighbors and is the total number of neighbors. This models the behavior that a node s uncooperative probability tends to be lower when the node has more energy and higher when the node has more cooperative neighbors as there are sufficient cooperative neighbors around to take care of sensor tasks. It also models the behavior that a compromised SN is likely to be uncooperative when it has low energy, thus performing only weak attacks such as packet dropping. Thus, the rates of transitions T_UNCOOPERATIVE and T_REDEMP are given by / and / respectively. Initially all nodes are cooperative with no token in place Uncooperative. Maliciousness: A node is compromised when transition T_COMPRO fires and a token is put in place Compromised. The rate of transition T_COMPRO is modeled by: (6) where is the initial node compromising rate which can be obtained by first-order approximation based on historical data about the targeted network environment. and indicate a node s initial energy and remaining energy, respectively. and are the numbers of compromised and healthy nodes in the neighborhood. / refers to the ratio of the number of compromised -hop neighbors to the number of healthy (uncompromised) -hop neighbors. Equation 6 models the behavior that a node is more likely to become compromised when it has low energy because it may not spare its energy to perform energy-consuming defense mechanisms, or when there are many -hop neighboring compromised nodes around it because of collusive attacks. Note that all nodes are healthy, i.e., not compromised, initially. The overall performance model for describing the collective behavior of a WSN consists of N SPN subnet models, one for each SN, and N CH SPN subnet models, one for each CH, each with different energy consumption, uncooperative/redemption and compromise rates. Below we describe how one could leverage SPN outputs to obtain peer-to-peer trust values as the basis for performance evaluation of our proposed trust-based intrusion detection scheme. B. Trust Evaluation Recall that under our trust management protocol, node i will subjectively assess its trust toward node j,, based on its direct observations and indirect recommendations obtained toward node j according to Equations and 2. In particular, node i will apply snooping or overhearing techniques to monitor node j closely to compute, based on direct observations over the time period 0,. As a result,, computed by node i will fairly accurately reflect actual status of node j at time t. Leveraging the SPN model developed which provides actual status of each node dynamically, we can easily compute,,,, and, by simply checking the status of node j at time t in node j s SPN model as listed in Table. Once, is computed, node i will compute based on Equation 2 and subsequently compute based on Equation. Each SN then reports its trust evaluation values to its CH for CH-to-SN trust evaluation and CH-SN intrusion detection based on Equation 4. The same procedure is applied for base station-to-ch intrusion detection. Table : Computing, for Component X based on Actual Node Status., Value Status (of node j), If mark(compromised) = 0 0 Otherwise, mark(energy)/e init, If mark(uncooperative) = 0 0 Otherwise C. Performance of Trust-based Intrusion Detection We develop a statistical method to predict the performance (i.e. false positives and false negatives) of our trust-based IDS scheme. Recall that in Equation 4, each CH, c, receives trust evaluation values toward node j, s, from n SNs (not diagnosed as compromised) and uses the mean value,, to decide whether node j is compromised or not. Statistically, c should announce node j as compromised if the expected trust value toward node j,, is below the threshold ; otherwise, node j is announced as healthy. Consider that the trust value toward node j is a random variable and s submitted by n SNs are n samples of this random variable. Then we have a random variable following t- distribution with n - degree of freedom: (7) /

5 where and are sample mean and sample standard deviation of node j s trust value, respectively. Thus, the probability that node j is diagnosed as a compromised node at time t is: Θ Pr Pr / (8) The false positive of the IDS can be obtained by calculating Θ under the condition that node j is not compromised. Similarly, the false negative probability can be obtained by calculating Θ under the condition that node j is compromised. Pr / (9) Pr (0) / Equations 9 and 0 give the false positive probability,, and false negative probability,, of our proposed trust-based intrusion detection scheme at time t, respectively. and are the mean value and standard deviation of node j s trust values reported by other nodes in the same cluster, under the condition that node j is not compromised. and are the mean value and standard deviation, under the condition that node j is compromised. and can be easily obtained by applying the Bayes theorem to the calculation of. and vary over time. The average false positive and false negative probabilities, denoted by and, can be obtained by weighting on the probability of node j being compromised at time t, i.e., () (2) where is the probability that node j is compromised at time t which can be obtained from the SPN model output, and L is the anticipated WNS lifetime period over which the weighted calculation is performed. V. NUMERICAL RESULTS In this section, we show numerical results obtained from the performance model described in Section IV. Table 2 lists default parameters used. We consider a WSN with 400 SNs and 25 CHs uniformly distributed in a 400m 400m area. The WSN is deployed in a hostile environment with the node s average compromising interval in the range of [320hrs, 440hrs]. We consider the worst case of good-mouthing (providing the highest trust value for a malicious node) and bad-mouthing attacks (providing the lowest trust value against a good node). The initial trust value is set to since all nodes are initially healthy (uncompromised) and cooperative. Table 2: Default Parameter Values Used. Param Value Param Value Param Value M 400m R 50m r 50m N SN 400 N CH 25 Δt 80hrs α 0.5 β.0 /λ c-init [320,440]hrs Δ E-SN 80hrs Δ E-CH 60hrs Δ E-compromised 240hrs /3 T s [80,480]hrs w,w 2,w 3 /3 E init [360,480] days for SNs, [720,960] days for CHs. overall trust value time (days) Figure 2: Trust Evaluation. Figure 2 compares the overall trust (using equal weighting with w :w 2 :w 3 =/3:/3:/3) toward a SN randomly picked with the node s compromising interval varying from 320hrs to 440hrs. We observe that the trust value of a node with a higher compromising rate drops more quickly, which makes it easy to detect by our trust-based IDS scheme. false alarm prob /λc-init=440hrs /λc-init=960hrs /λc-init=320hrs False Positive False Negative time (days) Figure 3: False Alarm Probabilities as a Function of Time. Figure 3 shows the false positive and false negative probabilities of our trust-based intrusion detection scheme as a function of time t with L = 00 days and T th =. We first note that false negatives are due to IDS bad nodes as good nodes, the effect of which is especially pronounced when t is small at which a bad node s trust level is likely to be high since all nodes have high energy and cooperativeness trust values initially. On the other hand, false positives are due to IDS misidentifying good nodes as bad nodes, the effect of which is especially pronounced when t is large at which a good node s trust value is likely to be low as much energy is consumed and a good node may exhibit uncooperative behaviors to save energy. This is the trend exhibited in Figure 3. When t is small, the false negative probability is high because initially the trust value of every node is high and thus IDS is more likely to miss a compromised node. As time progresses, the false negative probability drops but the false positive probability increases slowly since the trust value becomes lower and the IDS is more likely to misdiagnose a good node as compromised. We observe that after the initial warm-up period after nodes have a chance to perform peer-to-peer trust evaluation and the trust values are summarized for trust-based intrusion detection, we

6 can obtain acceptable low false alarms during most of the useful network lifetime. false alarm prob. false alarm prob optimal trust threshold (T th,opt ) False Positive - L=00days False Negative - L=00days Trust Threshold (T th ) Figure 4: False Alarm as a Function of T th with L=00 days. False Positive - L=00days False Negative - L=00days False Positive - L=240days False Negative - L=240days False Positive - L=480days False Negative - L=480days Trust Threshold (T th ) Figure 5: False Alarm as a Function of T th with Varying L L (days) Figure 6: Optimal Trust Threshold as a Function of L. Figure 4 shows the sensitivity of the false alarm probability with respect to the system minimum trust threshold T th below which a node is considered compromised. We use Equations and 2 for the weighted calculation of false positive and false negative probabilities over the time period [0, 00] days. One can note that as the minimum trust threshold, T th, increases, the overall false negative decreases while the overall false positive increases. There exists an optimal trust threshold T th,opt at which both false negative and false positive probabilities are minimized. For L=00 days and the network environment characterized by the set of parameter setting as listed in Table 2, the optimal trust threshold T th,opt is in the range of [0.70, 0] at which both false positive and false negative probabilities are lower than 0.0. Figure 5 shows the same as Figure 4, except that we vary the anticipated network lifetime L from 00 to 480 days in the calculation of the false alarm probability. We observe from Figure 5 that the optimal trust threshold T th,opt shifts toward left (becoming lower) as the anticipated WSN lifetime L increases. Figure 6 shows that the optimal trust threshold T th,opt decreases as the anticipated network lifetime (L) increases because a node s trust value decreases over time due to energy depletion even if the node is not compromised. VI. CONCLUSION In this paper, we proposed a trust-based IDS scheme leveraging a hierarchical trust management protocol for WSNs. We considered a composite trust metric deriving from both social trust (honesty) and QoS trust (energy and cooperativeness) as an indicator of maliciousness. We developed a probability model based on SPN techniques to describe the behaviors of SNs or CHs for trust evaluation and intrusion detection, as well as a statistical method to predict the false alarm probabilities of the trust-based IDS scheme. The experimental results show that a node with high compromising rate can be easily detected, thus supporting the idea of using trust to implement IDS functionality. We analyzed the sensitivity of false alarm probabilities with respect to the minimum trust threshold below which a node is considered compromised, and we discovered that there exists an optimal trust threshold at which both false positive and false negative probabilities are minimized and that the optimal trust threshold decreases as the network lifetime increases. There are several future research directions, including (a) considering more social trust components other than honesty and studying their effects on false alarms; (b) devising and validating a decentralized CH trust evaluation scheme for autonomous WSNs without base stations; (c) investigating the impact of the number of clusters and the trust update interval to protocol performance; (d) conducting a comparative performance analysis of existing trust-based IDS techniques for WSNs, and (e) investigating the feasibility of using trust to implement IDS functionality in more dynamic networks such as mobile WSNs or MANETs. REFERENCES [] X. Chen, K. Makki, K. Yen, and N. Pissinou, Sensor network security: a survey, IEEE Communication Surveys & Tutorials, vol., no. 2, June 2009, pp [2] E.M. Daly and M. Haahr, Social network analysis for information flow in disconnected delay-tolerant MANETs, IEEE Transactions on Mobile Computing, vol. 8, no. 5, May 2009, pp [3] P. Ebinger and N. Bibmeyer, TEREC: Trust evaluation and reputation exchange for cooperative intrusion detection in MANETs, 7 th Annual Comm. Networks and Services Research Conf. 2009, pp [4] S. Ganeriwal, L.K. Balzano, and M.B. Srivastava, Reputation-based framework for high integrity sensor networks, ACM Transitions on Sensor Network, vol. 4, no. 3, May [5] K. Liu, N. Abu-Ghazaleh, and K.-D. Kang, Location verification and trust management for resilient geographic routing, J. Parallel and Distributed Computing, vol. 67, no. 2, 2007, pp [6] A. Mishra, K. Nadkarni, and A. Patcha, Intrusion detection in wireless ad hoc networks, IEEE Wireless Communications, vol., no., 2004, pp [7] R.A. Shaikh, H. Jameel, B.J. d Auriol, H. Lee, S. Lee, and Y.J. Song, Group-based trust management scheme for clustered wireless sensor networks, IEEE Transactions on Parallel and Distributed Systems, vol. 20, no., Nov. 2009, pp [8] F. Wang, C. Huang, J. Zhang, and C. Rong, IDMTM: A novel intrusion detection mechanism based on trust model for ad hoc networks, 22 nd IEEE International Conference on Advanced Information Networking and Applications, 2008, pp [9] O. Younis and S. Fahmy, HEED: A hybrid energy efficient, distributed clustering approach for ad hoc sensor network, IEEE Transaction on Mobile Computing, vol. 3, no. 3, 2004, pp [0] Y. Zhang, W. Liu, W. Lou, Y. Fang, and Y. Kwon, AC-PKI: anonymous and certificateless public-key infrastructure for mobile ad hoc networks, 40 th IEEE International Conference on Communications, May 2005, pp